diff --git a/doc/Changelog b/doc/Changelog
index e4af5412c..47f28ff26 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+25 June 2012: Wouter
+	- disable RSAMD5 if in FIPS mode (when compiled with openssl).
+
 22 June 2012: Wouter
 	- implement DS records, NSEC3 and ECDSA for compile with libnss.
 
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 5cd8cb704..659627090 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -150,11 +150,14 @@ int
 dnskey_algo_id_is_supported(int id)
 {
 	switch(id) {
+	case LDNS_RSAMD5:
+		/* openssl can return if the system is in FIPS mode, 
+		 * which does not allow MD5 hashes for network traffic */
+		return !FIPS_mode();
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
-	case LDNS_RSAMD5:
 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 	case LDNS_RSASHA256:
 #endif